CVE-2017-15132 — Uncontrolled Resource Consumption in Dovecot

CWE-400 — Uncontrolled Resource Consumption CWE-772 — Missing Release of Resource after Effective Lifetime9 documents7 sources

Severity

7.5HIGHNVD

EPSS

4.6%

top 10.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dovecot Debian Dovecot THE Dovecot Project Dovecot +2 more

Timeline

PublishedJan 25

Latest updateMay 13

Description

A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/dovecot< dovecot 1:2.2.34-1 (bookworm)

▶Debiandovecot/dovecot< 1:2.2.34-1+3

▶NVDdovecot/dovecot2.0.0 — 2.2.33+1

▶CVEListV5the_dovecot_project/dovecot2.0 up to 2.2.33 and 2.3.0

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 12.04, 14.04, 16.04, 17.10

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-f5gc-665w-jv83: A flaw was found in dovecot 2↗2022-05-13

▶

OSV

CVE-2017-15132: A flaw was found in dovecot 2↗2018-01-25

▶

📋Vendor Advisories

Ubuntu

Dovecot vulnerability↗2018-02-01

▶

Ubuntu

Dovecot vulnerabilities↗2018-02-01

▶

Red Hat

dovecot: Auth leaks memory if SASL authentication is aborted↗2018-01-09

▶

Debian

CVE-2017-15132: dovecot - A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authent...↗2017

▶

💬Community

Bugzilla

CVE-2017-15132 dovecot: Auth leaks memory if SASL authentication is aborted [fedora-all]↗2018-01-25

▶

Bugzilla

CVE-2017-15132 dovecot: Auth leaks memory if SASL authentication is aborted↗2018-01-09

▶